A new DDoS bot named RussKill is in the wild
RussKill is another DDoS bot controlled by a web panel, from which users send commands to their bots and start attacking a specified website using two DDoS methods:
HTTP-Flood: generates threaded queries to the index page of the website and tries to make the attacked web page inaccessible to regular users, making the server output a "Network Timeout" error. This kind of attack can also crash the web server if the queries are not properly filtered by firewall software.
SYN-Flood: sends a series of SYN requests to the target system using spoofed IPs. When the target system tries to send the SYN-ACK message to the IP address that sent the SYN request, the spoofed IP cannot send back the ACK message, and the target system is left waiting for it.

The features described by the author of RussKill are:
- Bot is hidden from the user
- Bot accepts HTTP or HTTPS
- Bot protects its registry keys and values, making them hard to remove
- User can select the type of attack and the number of threads to use
- Powerful SYN-Flood
- Bot can attack on a custom port (domain:port)
- User can select the connection delay for a bot to connect to the web panel
- PHP and MySQL admin panel system
The bot is sold with the admin panel for 300 USD, and the author offers a rebuild for a new domain for 50 USD.
We found a sample of the bot and Steve unpacked it (with VMUnpacker); the interesting strings extracted from it follow:
.aspack
.adata
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
TThreadLocalCounter
0.0.0.0
127.0.0.1
255.255.255.255
%d.%d.%d.%d
0.0.0.0
ws2_32.dll
wship6.dll
localhost
SF_Any
SF_IP4
SF_IP6
TSocksType
ST_Socks5
ST_Socks4
TSSLType
LT_all
LT_SSLv2
LT_SSLv3
LT_TLSv1
LT_TLSv1_1
LT_SSHv2
MaxLineLength(
MaxSendBandwidth(
MaxRecvBandwidth(
MaxBandwidth
InterPacketTimeout(
SendMaxChunk
StopFlag(
TSocksBlockSocket
OnCreateSocket
SocksIP
SocksPort
SocksUsername
SocksPassword
SocksTimeout
SocksResolver
SocksType
HTTPTunnelIP
HTTPTunnelPort
HTTPTunnelUser
HTTPTunnelPass
HTTPTunnelTimeout
TCustomSSL
Synapse TCP/IP
Socket error %d: %s
Proxy-Authorization: Basic
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
open
.exe
..w.i...n.f...d...d...
\memosssf.ini
\system32
\system32\
.exe
/uninstall /silent
\System32\
\System32\lkdir.dll
\System32\lkdir
.dll
/install /silent
From the above data we can see that the bot was compiled with Delphi, uses the Synapse TCP/IP component for its connections, and was packed with ASPack:
.aspack
.adata
We can also see the user agent the bot uses for the DDoS attacks:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
There is a reference to system32\ and to a file named lkdir.dll. The padded string also reveals the file name the bot takes when it is installed on the victim's computer:
..w.i...n.f...d...d... -> winfdd.exe
The bot also appears to support command line parameters:
/install /silent
When the program is executed, it creates the following files:
%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe
%User%\Local Settings\Application Data\microsoft\windows\winfdd.exe
%User%\Local Settings\Application Data\microsoft\windows\95548.exe
%User%\Start Menu\Programs\Startup\wtnmm.exe
The program creates the following entry in the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: explorer.exe, "%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe"
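As an added defender-side check (not code from the original write-up), the following Python script parses a Winlogon\Shell value and a list of dropped files and reports the two persistence mechanisms RussKill relies on: an extra entry appended to the Shell value and an executable placed in the per-user Startup folder. The sample data is constructed from the artifacts listed above; the %User% placeholder is kept as written and the quoted-path handling is an assumption about how such values may be written.

```python
import re
from typing import List, Tuple

# Windows runs every comma-separated entry of Winlogon\Shell at logon;
# the only entry present on a clean system is explorer.exe.
DEFAULT_SHELL = "explorer.exe"

# Constructed sample data, copied from the artifacts listed in the write-up.
SAMPLE_SHELL_VALUE = (
    r'explorer.exe, "%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe"'
)
SAMPLE_FILES = [
    r"%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe",
    r"%User%\Local Settings\Application Data\microsoft\windows\winfdd.exe",
    r"%User%\Local Settings\Application Data\microsoft\windows\95548.exe",
    r"%User%\Start Menu\Programs\Startup\wtnmm.exe",
]

# One entry: either a double-quoted path (may contain commas) or a bare token.
_ENTRY_RE = re.compile(r'\s*"([^"]*)"\s*|\s*([^,]+)')


def split_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into entries; a plain split on ',' would
    break quoted paths that themselves contain a comma."""
    return [(q or u).strip() for q, u in _ENTRY_RE.findall(value) if (q or u).strip()]


def extra_shell_entries(value: str) -> List[str]:
    """Entries other than the default explorer.exe: each is launched at logon,
    so anything listed here is a persistence candidate worth inspecting."""
    return [e for e in split_shell_value(value) if e.lower() != DEFAULT_SHELL]


def startup_folder_executables(paths: List[str]) -> List[str]:
    """Executables dropped into the per-user Startup folder."""
    return [p for p in paths
            if "\\start menu\\programs\\startup\\" in p.lower()
            and p.lower().endswith(".exe")]


def persistence_findings(shell_value: str, created_files: List[str]) -> List[Tuple[str, str]]:
    """Combine both checks into (mechanism, artifact) pairs for triage."""
    findings = [("winlogon_shell", e) for e in extra_shell_entries(shell_value)]
    findings += [("startup_folder", p) for p in startup_folder_executables(created_files)]
    return findings


if __name__ == "__main__":
    for mechanism, artifact in persistence_findings(SAMPLE_SHELL_VALUE, SAMPLE_FILES):
        print(f"{mechanism}: {artifact}")
```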
The bot established connections with one main IP address on port 80, which we assume is the bot's web panel:
115.100.250.104 -> akakalat.com
The following traffic shows the bot receiving a list of URLs:
GET /779/s.php HTTP/1.0
Host: akakalat.com

[|250|60hxxp://www.cian(dot)ru/cat.php?type=2
hxxp://www.cian(dot)ru/cat.php?suburbian=yes&deal_type=2&object_type[1][|250|60hxxp://tvshowstock(dot)com
hxxp://dvdglee(dot)com/hot.php
hxxp://dvdorder3online(dot)com/products/MI5Spooks-Seasons-1-8-DVD-Boxset-DVDS-1934.htm]0|150|60hxxp://www.dvdcollects(dot)com/products/Lost-complete-Seasons-1-5-DVD-Boxset-DVDS-1664.html
hxxp://dvdsetshop16(dot)com/products/Farscape-Complete-Seasons-1-4-DVD-Boxset-DVDS-1466.html
hxxp://dvdcollects10(dot)com/List.aspx?CatID=13
hxxp://dvdsonyk(dot)com
After receiving the above traffic, the bot generated a file named thumbcac_888.db, which contains the links and the commands to execute:
%User%\Local Settings\Application Data\microsoft\windows\thumbcac_888.db
The bot then started visiting all the links from the thumbcac_888.db file; one of the links contains obfuscated JavaScript that redirects the victim to another malicious link:
/List.aspx?CatID=13&"+decoder();
Decoded:
/List.aspx?CatID=13&jdfwkey=b9ogg2
After more than 24 hours of running we noticed several Internet Explorer windows open that contained false security scans and fake security warnings, a common symptom of rogue security software.

February 18th, 2010 at 6:06 am
Wow.. Russians are taking 1 step forward... in pentest